Mumsnet data breach - please read

[JustineMumsnet]

As some of you know, we're very sorry to say that we’ve become aware of a data breach which affected some Mumsnet user accounts

What happened?
There was a problem affecting Mumsnet user logins between 2pm of Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in, could have had their account info switched.

Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don’t know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don’t as yet know which of those were actually breached (ie also affected by a mismatched login), although we know for sure it wasn’t every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

I've only just been logged out on the ios app.

I was logged out too.

I wonder why I'd been logged out! I thought I'd been suspended or something. I was trying to think what I could have said to offend someone.

@PearsandWine

It does sound as if some posters are not using special purpose emails and are using real names and addresses and possibly other info.

Irrespective of anything else PLEASE don't use your real details for any SM site inc MN and FB. If you have please deregister and re-register.

I agree with this. I have a throwaway address for mumsnet, and my real name is not on here. Not even my real location. I don't think ANYone who accessed my account could possibly find out anything personal about me. Even if they accessed my email, they would only find emails from mumsnet/about mumsnet, like notifications and so on! I haven't even got any private messages.

I would be very worried if I used an email address with my real full name though, or if I was someone who used facebook to log in!

I always use throwaway email addresses without my real name for forums such as this. As the poster above said, maybe everyone who is registered with an email address that identifies them (or is on here via their facebook,) should deregister, and re-register under a throwaway name and email address.

I thought there was no problem with the app? I've just been logged out.
Using iOS on iPhone.

Really getting quite worried now MNHQ.

All weird and chaotic. Really would expect better.

@Wedgiecar58 I read it as if you were logging in during those times - since the swap of details was occurring because two users were logging in at the same time.

No need to get the arse about it. Pretty understandable to want full clarification about a situation such as this.

'These things happen, no harm done'

Of course harm could be done.
I've never known anywhere as shit as Mumsnet for data breaches tbh.

Just changed my registered email to a hardly used one and took out all personal info, as this is not the first issue I don't want to have my real info on this website anymore. Hoping that will get rid of the old info though otherwise I'll need to close and open a new account.

Where did you see MNHQ is contacting the ICO, @WonderTweek?

Have you contacted the ICO, MNHQ?

So the site is not letting me change my password as it won't recognise my current password, yet it will let me post here???

What a shambles. As a commercial organisation, you can't just take all the ad money and all the payments for selling the posts to the Daily Mail etc, then just not bother sorting out the IT security properly.

new, you were logged out as everyone was so that you would have to re-enter your password on login. It was a sensible thing for MN to do.

On deleton of past messages it probably depends what the terms and conditions say. I suspect a past anonymous message may not be personal data with a right of deletion under data protection laws but I may be wrong. In fact it would be useful to know. If the message can identify someone (eg some of my posts could be used to find out my real identity then even a supposedly anonymous post might become identifable personal data)

I don't think your posts belong to you once they are on the site but to Mumsnet. Hence, the reason they can sell/allow other sites to use them as they want.

Mumsnet - please clarify - is this correct?

So finally MNHQ stickies this thread in Site Stuff and AIBU at nearly 1pm today - but still hasn't stickied it in Chat as well. Why on earth not?

Can't believe people put so much identifying info about themselves on mn

The board itself and how prang and name changy everyone is would make you think it would all be burner emails and nothing linking back to real you

@runoutofnamechanges

Thanks for reminder re checking recent activity on mail client. Haven't looked for ages, but having just checked the email account I use for this site.

Whilst results are unlikely to be connected to this current event (except perhaps the entry on TuesdY 5th?), it was a sharp reminder to check it more frequently, as it reported several, thankfully blocked, attempts at accessing my mail account.

It does sound as if some posters are not using special purpose emails and are using real names and addresses and possibly other info.

This only applies if people post things on Mumsnet that they wouldn't want anyone else to know (just in case anyone is panicked by that statement). Not everyone posts sensitive information or personal information you wouldn't want to share.

@paxillin MNHQ have said they will be contacting the Information Commissioner in their OP.

Thanks for the information, MNHQ. It's clear that there has been a breach and extent of posters affected is unknown at the moment. I haven't had an e-mail, but did have to log in and again so does this mean that there's some sort of safeguard there, if the passwords are actually encrypted and unobtainable. Is that the case?

I'm personally only aware of one other instance where this happened so the reports of 'frequent' issues don't resonate with me. How many incidents have there actually been then?

To those posters having a pop and a little bitch along with a threat about leaving. Leave then, ask for your posts to be deleted and all of your details scrubbed, I'm sure you'll be obliged.

There's just no need for the rudeness and chucking your weight about, it gets on my nerves. I don't have personal details on this site and I'm sure I'm not alone in that. MN isn't a bank, it's a chatboard.

@HankNPat

So finally MNHQ stickies this thread in Site Stuff and AIBU at nearly 1pm today - but still hasn't stickied it in Chat as well. Why on earth not?

Hi we stickied it in Active (by far the most active page on the site as soon as it was written). It's a manual process to sticky all over the site so it took a little while. We're not in any way trying to bury this - the opposite.

Thank you, @PCohle. How did I not see that?

@JustineMumsnet

[quote HankNPat] So finally MNHQ stickies this thread in Site Stuff and AIBU at nearly 1pm today - but still hasn't stickied it in Chat as well. Why on earth not?

Hi we stickied it in Active (by far the most active page on the site as soon as it was written). It's a manual process to sticky all over the site so it took a little while. We're not in any way trying to bury this - the opposite.[/quote]

Oh and we also removed all other stickied threads from Active so it was v prominent...

All this is confusing. Has MN been hacked or is it a breach due to upgrading or whatever MN were doing?
I was logged out this morning after leaving MN unattended for an hour or so and i'm still no wiser.
Tues and weds were fine.
I've never been able to log in conventionally, as in via the MN page, i've always had to log in via my email as in, log into my email, find the relevant email from MN and then click on the 'confirm your email address' which is bloody annoying.

However, as i say I'm still no wiser as to what the actual problem is at MN, hacked or gone tits up during a change thing.

I have not had an email yet.
Tbh having been hit when the site has been hacked before I am seriously considering deleting my account.

Please can MNHQ tell me if my account was affected. Thanks.